data/selinux: allow snaps to read certificates #12050
Merged
Commits on Aug 18, 2022
-
data/selinux: allow snaps to read certificates
This fixes an error occurring in our spread tests on Centos: 2022-08-17T12:52:45.7861235Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { open } for pid=71804 comm=snap path=/etc/pki/tls/openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 2022-08-17T12:52:45.7898682Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { read } for pid=71804 comm=snap name=openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 2022-08-17T12:52:45.7899442Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { search } for pid=71804 comm=snap name=pki dev="sda2" ino=50341665 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1 Note that with this change we are not removing the call to miscfiles_read_all_certs(snappy_t) because it was actually present twice in this file.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.